Re: [FUG-BR] Firewall with pf on FreeBSD 7
Man, here's the thing: ipfw is FreeBSD's default packet filter. On the command line run "ipfw show" and check the firewall rules; by default everything comes blocked, maybe that's why your routing isn't working. There's my two cents.

----- Original Message -----
From: "Márcio Luciano Donada" <[EMAIL PROTECTED]>
To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)"
Sent: Monday, November 03, 2008 6:07 PM
Subject: Re: [FUG-BR] Firewall with pf on FreeBSD 7

> Ricardo Augusto de Souza wrote:
> > FW2# cat rc.conf
> >
> > # -- sysinstall generated deltas -- # Fri Oct 31 08:57:07 2008
> > # Created: Fri Oct 31 08:57:07 2008
> > # Enable network daemons for user convenience.
> > # Please make all changes to this file, not to /etc/defaults/rc.conf.
> > # This file now contains just the overrides from /etc/defaults/rc.conf.
> > ken_securelevel="1"
> > kern_securelevel_enable="YES"
> > pf_enable="YES"
> > defaultrouter="189.xxx.xxx.xxx"
> > gateway_enable="YES"
> > hostname="FW2.CMT"
> > ifconfig_bce0="inet 189.xxx.xxx.3 netmask 255.255.255.248"
> > ifconfig_bce1="inet 10.10.100.252 netmask 255.255.0.0"
> > inetd_enable="YES"
> > keymap="br275.cp850"
> > linux_enable="YES"
> > sshd_enable="YES"
> > FW2#
> >
> >
> > FW2# cat rc.local
> > #alias
> > ifconfig bce1 alias 10.100.1.4 netmask 255.255.255.192 up
> > #routes
> > route add 10.100.0.0/24 10.100.1.1
> > FW2#
> >
>
> You can put all the interface aliases in rc.conf, see [1]. You said you
> recompiled your kernel, but your dmesg shows the GENERIC kernel:
>
> FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
>     [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC
>
> [1]. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-virtual-hosts.html
>
> Cheers,

-
History: http://www.fug.com.br/historico/html/freebsd/
Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
Re: [FUG-BR] Firewall with pf on FreeBSD 7
Ricardo Augusto de Souza wrote:
> FW2# cat rc.conf
>
> # -- sysinstall generated deltas -- # Fri Oct 31 08:57:07 2008
> # Created: Fri Oct 31 08:57:07 2008
> # Enable network daemons for user convenience.
> # Please make all changes to this file, not to /etc/defaults/rc.conf.
> # This file now contains just the overrides from /etc/defaults/rc.conf.
> ken_securelevel="1"
> kern_securelevel_enable="YES"
> pf_enable="YES"
> defaultrouter="189.xxx.xxx.xxx"
> gateway_enable="YES"
> hostname="FW2.CMT"
> ifconfig_bce0="inet 189.xxx.xxx.3 netmask 255.255.255.248"
> ifconfig_bce1="inet 10.10.100.252 netmask 255.255.0.0"
> inetd_enable="YES"
> keymap="br275.cp850"
> linux_enable="YES"
> sshd_enable="YES"
> FW2#
>
>
> FW2# cat rc.local
> #alias
> ifconfig bce1 alias 10.100.1.4 netmask 255.255.255.192 up
> #routes
> route add 10.100.0.0/24 10.100.1.1
> FW2#
>

You can put all the interface aliases in rc.conf, see [1]. You said you
recompiled your kernel, but your dmesg shows the GENERIC kernel:

FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
    [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC

[1]. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-virtual-hosts.html

Cheers,
[FUG-BR] Firewall with pf on FreeBSD 7
Hello, I have been an OpenBSD user for many years and have always used it for firewalls. I received a machine from another department of my company to use as a firewall, but OpenBSD is not compatible with it (damn Adaptec controller). To solve this problem I decided to install FreeBSD on this machine, which is an IBM x3550. I enabled pf in rc.conf and recompiled the kernel so I can use ALTQ later on. I have already managed to share the Internet with my local network; the problem is that I could not route / allow access to the 10.100.0.0 network (my MPLS network) from the local network. I just cannot ping or reach the machine 10.100.0.5 from the clients that are using the FreeBSD box as their gateway. Just for the record: I am finding FreeBSD quite a bit faster than OpenBSD. The configuration files in use follow below.

FW2# cat rc.conf

# -- sysinstall generated deltas -- # Fri Oct 31 08:57:07 2008
# Created: Fri Oct 31 08:57:07 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
ken_securelevel="1"
kern_securelevel_enable="YES"
pf_enable="YES"
defaultrouter="189.xxx.xxx.xxx"
gateway_enable="YES"
hostname="FW2.CMT"
ifconfig_bce0="inet 189.xxx.xxx.3 netmask 255.255.255.248"
ifconfig_bce1="inet 10.10.100.252 netmask 255.255.0.0"
inetd_enable="YES"
keymap="br275.cp850"
linux_enable="YES"
sshd_enable="YES"
FW2#

FW2# cat rc.local
#alias
ifconfig bce1 alias 10.100.1.4 netmask 255.255.255.192 up
#routes
route add 10.100.0.0/24 10.100.1.1
FW2#

FW2# cat pf.conf
# variables
ext_if = "bce0"
int_if = "bce1"
cmt_lan = "10.10.0.0/24"
cmt_lan_ti = "10.10.20.0/24"
cmt_lan_callcenter = "10.10.60.0/24"
rede_mpls = " 10.100.0.0/24 "
tcp_out_ports = "{ 53, 80, 443 }"

# run time options
scrub in all

# nat
nat on $ext_if from $cmt_lan to any port $tcp_out_ports tag CMT_LAN -> ($ext_if)
nat on $ext_if from $cmt_lan_ti to any tag CMT_LAN_TI -> ($ext_if)
nat on $ext_if from $cmt_lan_callcenter port $tcp_out_ports to any tag CMT_LAN_CALLCENTER -> ($ext_if)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $cmt_lan_ti to any port 21 -> \
    127.0.0.1 port 8021

anchor "ftp-proxy/*"
pass out proto tcp from any to any port 21

pass in on $int_if from any to any modulate state
pass out on $int_if from any to any modulate state
pass out on $ext_if from $ext_if to any modulate state
FW2#

FW2# ping 10.100.0.5
PING 10.100.0.5 (10.100.0.5): 56 data bytes
64 bytes from 10.100.0.5: icmp_seq=0 ttl=126 time=5.250 ms
64 bytes from 10.100.0.5: icmp_seq=1 ttl=126 time=8.325 ms
64 bytes from 10.100.0.5: icmp_seq=2 ttl=126 time=6.169 ms
64 bytes from 10.100.0.5: icmp_seq=3 ttl=126 time=8.943 ms
^C
--- 10.100.0.5 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 5.250/7.172/8.943/1.514 ms
#

FW2# nc -v 10.100.0.5 80
Connection to 10.100.0.5 80 port [tcp/http] succeeded!
^C
FW2#

FW2# cat sysctl.conf
# $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
security.bsd.see_other_uids=0
net.inet.ip.check_interface=1   # protection against spoofed ip packets
net.inet.ip.random_id=1
net.inet.ip.fastforwarding=1
net.inet.ip.process_options=0
net.inet.icmp.maskrepl=0
net.inet.tcp.blackhole=2        # blackhole pings, traceroutes, etc.
net.inet.tcp.rfc3042=1          # Enhancing TCP's Loss Recovery Using Limited Transmit
net.inet.tcp.rfc3390=1          # Increasing TCP's Initial Window
net.inet.tcp.sack.enable=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.keepidle=30
net.inet.tcp.keepintvl=150
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.blackhole=1
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
kern.fallback_elf_brand=3
kern.polling.enable=1           # network interface polling instead of interrupt requests
kern.ipc.shm_use_phys=1         # kernel to lock shared memory into RAM
                                # and prevent it from being paged out to swap
kern.ipc.maxsockbuf=2097152     # Socket buffers for new connections
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
vfs.vmiodirenable=1
FW2#

FW2# cat /root/dmesg.txt
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
    [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU
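The following pf.conf fragment is an added example; it is not the poster's file and the thread does not confirm it fixes his case. It makes the LAN-to-MPLS path explicit instead of relying on the catch-all pass rules. The point it illustrates: the firewall's own ping to 10.100.0.5 succeeds with the bce1 alias 10.100.1.4 as source, while the LAN clients send packets with a 10.10.x.x source through the same route. If the MPLS router (10.100.1.1) has no route back to 10.10.0.0/16 (an assumption, not something the thread shows), those replies never return. NAT-ing LAN traffic bound for the MPLS network to the alias address removes that dependency. The /16 LAN macro follows the bce1 netmask in rc.conf and is an assumption; the addresses are the ones posted.

```pf
# Added example, not the poster's configuration.
# Interface names, 10.100.1.4 (bce1 alias) and 10.100.1.1 (next hop) come from the thread.
ext_if    = "bce0"
int_if    = "bce1"
cmt_lan   = "10.10.0.0/16"     # assumption: matches the 255.255.0.0 mask on bce1
rede_mpls = "10.100.0.0/24"    # no stray spaces inside the quotes
mpls_self = "10.100.1.4"       # bce1 alias that faces the MPLS router

set skip on lo0
scrub in all

# LAN -> MPLS: rewrite the source to the bce1 alias so the MPLS side replies
# to an address it already reaches directly (assumption: it lacks a route to the LAN).
nat on $int_if from $cmt_lan to $rede_mpls -> $mpls_self

# LAN -> Internet NAT, as in the original file
nat on $ext_if from $cmt_lan to any -> ($ext_if)

# Default deny, logged, so anything unexpected shows up in pflog0
block log all

# LAN traffic enters on bce1 and is forwarded by the kernel (gateway_enable="YES")
pass in  quick on $int_if from $cmt_lan to any keep state
# ... and leaves on bce1 again when the destination is the MPLS network
pass out quick on $int_if from any to $rede_mpls keep state
# Everything else leaves via the external interface
pass out quick on $ext_if from ($ext_if) to any keep state
```

Load it with "pfctl -nf /etc/pf.conf" first (syntax check only), then "pfctl -f /etc/pf.conf". To see whether the problem is the forward or the return path, run "tcpdump -ni bce1 host 10.100.0.5" on the firewall while a LAN client pings: requests leaving with no replies coming back points at the MPLS side's routing; requests not appearing at all points at the pf rules, which "pfctl -s state" and "tcpdump -ni pflog0" will show.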
[FUG-BR] firewall with PF
Folks, I have always used IPFilter on FreeBSD to build my firewalls, but now I am starting to study PF, since it looks very good. Whenever I built a firewall with ipfilter I ran Nessus to check the security, and it was always very well configured; most of the time Nessus found no security problem at all, and often Nessus even thought the IP did not exist or something like that, because it gave a message saying it could not find the host. Well, now with PF I am not getting the firewall configuration right, because Nessus always finds holes. I have read the official PF document on the OpenBSD site several times, looked at every file under /usr/share/examples/pf/ on FreeBSD, and also at various tips on the Internet, but so far nothing has solved my problem. On the test firewall I am building here, the only thing running towards the external network is SSH, which in my case runs on port 50000, and towards the internal network Apache (port 80), because of the Sarg reports, and Squid on port 3128. In squid.conf and httpd.conf they are configured to run on the local network IP, for example: 192.168.0.1:3128 (squid) and 192.168.0.1:80 (apache). When I run the sockstat command it shows they are really listening only on the local network interface. But Nessus says port 80 is open and has holes. I have separate networks here at the company where I work, and several separate Internet links too, so when I use Nessus for these tests I am sure I am not testing through the internal LAN. This firewall's configuration is exactly the same as the firewalls I used to build with IPFilter; the only thing that is different now is that I use PF. Below I will put some information from the configuration files I have on this new firewall, and also the report Nessus gives me when I run the test.
If anyone can point out where I am going wrong, or how to improve the security of this firewall, thanks in advance for the help!!!

-- NESSUS REPORT --

201.24.73.106
1 Open Ports, 11 Notes, 2 Warnings, 1 Holes.

http (80/tcp)

The proxy, allows everyone to perform requests against arbitrary ports,
like 'GET http://cvs.nessus.org:110'.
This problem may allow attackers to go through your firewall,
by connecting to sensitive ports like 25 (sendmail) using your proxy.
In addition to that, your proxy may be used to perform attacks against
other networks.
Solution reconfigure your proxy so that it only accepts connections
against non-dangerous ports (> 1024).
Risk Factor : High
Plugin ID : 10193

Synopsis :
The remote web proxy server accepts requests.
Description :
The remote web proxy accepts unauthenticated HTTP requests from the Nessus
scanner. By routing requests through the affected proxy, a user may be able
to gain some degree of anonymity while browsing web sites, which will see
requests as originating from the remote host itself rather than the user's host.
Solution
Reconfigure the remote proxy so that it only accepts requests coming from
inside your network.
Risk Factor : Low / CVSS Base Score : 2.3 (AV:R/AC:L/Au:NR/C:N/I:P/A:N/B:N)
Plugin ID : 10195

The proxy accepts gopher:// requests.
Gopher is an old network protocol which predates HTTP and is nearly unused
today. As a result, gopher-compatible software is generally less audited and
more likely to contain security bugs than others.
By making gopher requests, an attacker may evade your firewall settings, by
making connections to port 70, or may even exploit arcane flaws in this
protocol to gain more privileges on this host (see the attached CVE id for
such an example).
Solution: reconfigure your proxy so that it refuses gopher requests.
Risk Factor : Medium
CVE : CVE-2002-0371
BID : 4930
Other references : OSVDB:3004
Plugin ID : 11305

Port is open
Plugin ID : 11219

A web server is running on this port
Plugin ID : 10330

An HTTP proxy is running on this port
Plugin ID : 10330

The GET method revealed those proxies on the way to this web server :
HTTP/1.0 hercules-mmc.redesuperauto.com.br:3128 (squid/2.6.STABLE10)
Plugin ID : 11040

Synopsis :
A web server is running on the remote host.
Description :
This plugin attempts to determine the type and the version of the remote web server.
Risk Factor : None
Plugin output :
The remote web server type is :
squid/2.6.STABLE10
Plugin ID : 10107

Synopsis :
Some information about the remote HTTP configuration can be extracted.
Description :
This test gives some information about the remote HTTP protocol - the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem
Solution: None.
Risk Factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Plugin output :
Protocol version : HTTP/1.0
SSL : no
Pipelining : no
Keep-Alive : no
Options allowed : (Not implemented)
Heade
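What the report shows is worth reading before touching the rules: Nessus reached a proxy on port 80 of the external address 201.24.73.106 and the Via header it got back names Squid on port 3128, while sockstat shows Squid bound only to 192.168.0.1:3128. A listening socket cannot explain that; a pf "rdr" rule that sends port 80 into Squid without being tied to the internal interface can (an assumption, since the poster's pf.conf is not in the thread). "pfctl -s nat" lists the active nat/rdr rules and "sockstat -4l" the listening sockets, so the two can be compared directly. The fragment below is an added example, not the poster's configuration: a default-deny ruleset in which the transparent-proxy redirect exists only on the internal interface and the external side accepts nothing but SSH on the non-standard port. The interface names fxp0/fxp1 and the 192.168.0.0/24 prefix are assumptions; the ports and the 192.168.0.1 address come from the post.

```pf
# Added example, not the poster's rules.
# Assumed: fxp0/fxp1 as NIC names and 192.168.0.0/24 as the LAN prefix.
# From the post: SSH on 50000 externally, Apache on 192.168.0.1:80, Squid on 192.168.0.1:3128.
ext_if   = "fxp0"
int_if   = "fxp1"
int_addr = "192.168.0.1"
lan      = "192.168.0.0/24"
ssh_port = "50000"

set skip on lo0
scrub in all

# Transparent proxying is bound to the internal interface only; the external
# interface carries no rdr at all, so port 80 there is never answered by Squid.
rdr on $int_if proto tcp from $lan to ! $int_addr port 80 -> $int_addr port 3128

nat on $ext_if from $lan to any -> ($ext_if)

# Default deny on every interface, logged to pflog0
block log all

# External side: only SSH on the non-standard port, new connections only
pass in  on $ext_if proto tcp from any to ($ext_if) port $ssh_port flags S/SA keep state
pass out on $ext_if from ($ext_if) to any keep state

# Internal side: the LAN may reach the gateway's own web services and Squid
# (the rdr above rewrites the destination to port 3128 before this rule is evaluated)
pass in  on $int_if proto tcp from $lan to $int_addr port { 80, 3128 } flags S/SA keep state
# LAN to Internet, translated by the nat rule on the way out
pass in  on $int_if from $lan to any keep state
pass out on $int_if from any to $lan keep state
```

Check the result with "pfctl -nf" before loading and, once loaded, re-run the scan from the outside link. Squid's own http_access ACLs should restrict clients to the LAN as well, so that a later rule change on the firewall does not turn the cache back into an open proxy on its own.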